Storing passwords in an external database

LDAP

We assume in this section that the rlm_ldap module is properly configured to connect to an LDAP server and retrieve attributes from it. Check the modules{} section in radiusd.conf.

You cannot authenticate users connecting from a SIP client directly against an LDAP server, as no LDAP server is able to perform the challenge computation needed for SIP authentication.

However, FreeRADIUS can retrieve LDAP attributes during the authorization process and map them to either the User-Password or the Digest-HA1 attribute, which is then used for the actual authentication. These sensitive attributes travel over the established LDAP connection, so it is advisable to secure that connection.

In order to trigger the LDAP module during the authorization process, you need to uncomment the ldap line in the authorize{} section of the radiusd.conf file:

#
# The ldap module will set Auth-Type to LDAP if it has not
# already been set
ldap

The user record in the users file must not contain any password. Example for user "bob":

bob

Clear text password storage

You can map the User-Password attribute to an LDAP attribute in the modules{} section of radiusd.conf. For example, if the password is stored in a userPassword LDAP attribute:

password_attribute = userPassword

In this case, the userPassword value must be in clear text format. It is transmitted to FreeRADIUS over a network connection that should be secured.

Encrypted (Digest-HA1) password storage

Make sure the password_attribute line in the modules{} section has been commented out, as User-Password is preferred over Digest-HA1 for authentication.

Make sure you are using freeradius 1.1.1 or later.

You can map the Digest-HA1 attribute to an LDAP attribute by editing the ldap.attrmap file. For example, if the HA1 value is stored in a digestHA1 LDAP attribute:

checkItem Digest-HA1 digestHA1

In this case, the digestHA1 value must be stored as a 32-byte text string. Example:
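As an added illustration (not part of the original page or of FreeRADIUS itself), the following Python shows how an HA1 value is derived from username, realm and password, why it must be stored as a 32-character text string, and how a server that holds only HA1 can check a Digest response without ever seeing the password. The usernames, realm and credentials are constructed; the one real value is the RFC 2617 section 3.5 test vector, which uses an HTTP GET but the same arithmetic SIP uses.

```python
import hashlib
import hmac
import re

# Added example: derive and verify Digest-HA1 values as stored in an attribute
# such as digestHA1. All names below are constructed for the example.

def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()

def compute_ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password), returned as 32 hex characters (RFC 2617)."""
    return md5_hex(f"{username}:{realm}:{password}")

def is_valid_ha1(value: str) -> bool:
    """The stored digestHA1 must be exactly 32 hex characters, not raw MD5 bytes."""
    return re.fullmatch(r"[0-9a-fA-F]{32}", value) is not None

def expected_response(ha1: str, method: str, uri: str, nonce: str,
                      qop=None, nc=None, cnonce=None) -> str:
    """Response the client should send; only HA1 is needed, never the password."""
    ha2 = md5_hex(f"{method}:{uri}")
    if qop:  # RFC 2617 form, qop=auth
        return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")  # RFC 2069 form, no qop

def verify_response(stored_ha1: str, client_response: str, method: str, uri: str,
                    nonce: str, qop=None, nc=None, cnonce=None) -> bool:
    """Server-side check using the directory value; rejects a malformed entry."""
    if not is_valid_ha1(stored_ha1):
        return False  # e.g. a cleartext password was put into digestHA1 by mistake
    want = expected_response(stored_ha1.lower(), method, uri, nonce, qop, nc, cnonce)
    return hmac.compare_digest(want, client_response.lower())

# RFC 2617 section 3.5 test vector (real values from the RFC, HTTP GET)
RFC2617_RESPONSE = "6629fae49393a05397450978507c4ef1"

def rfc2617_check() -> bool:
    h = compute_ha1("Mufasa", "testrealm@host.com", "Circle Of Life")
    return verify_response(h, RFC2617_RESPONSE, "GET", "/dir/index.html",
                           "dcd98b7102dd2f0e8b11d0f600bfb0c093",
                           qop="auth", nc="00000001", cnonce="0a4f113b")
```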